HDPA (Greece) - 38/2022

From GDPRhub
Revision as of 09:53, 20 December 2022 by Kk
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4 GDPR; Article 5 GDPR; Article 51 GDPR; Article 55 GDPR; Law 3471/2006 article 12; Law 4624/2019 article 9
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.07.2022
Published: 02.12.2022
Fine: 150,000 EUR
Parties: Individuals
Vodafone
National Case Number/Name: 38/2022
European Case Law Identifier: https://www.dpa.gr/sites/default/files/2022-12/38_2022%20anonym.pdf
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA imposed a €150,000 fine on Vodafone PANAFON S.A. for the lack of appropriate technical and organisational measures to protect the security of its electronic communication services.

English Summary

Facts

Over a period of more than two years, a number of data subjects were affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures carried out by third parties (e.g. call diversion, issuance of new telephone numbers). Vodafone PANAFON S.A. (the controller) complied with SIM card change requests made by unauthorised third parties, despite allegedly having carried out identity checks intended to rule out fraudulent behaviour.

The data subjects filed a complaint with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such data breaches from happening. The DPA carried out an investigation into the controller's technical and organisational measures. After the first incidents, the controller had added a series of new policies to its security measures in response to the data breaches, including electronic authentication of the customer via a governmental website using verification codes or QR codes, a new e-fraud methodology, audits of customer service and training for staff.

Holding

First, the Greek DPA recalled that the controller, as a mobile service provider, was processing personal data, in line with the definition of Article 4(1) GDPR. In accordance with Article 5(3) GDPR, the controller had an obligation to demonstrate compliance with the data processing principles, including lawfulness, transparency, integrity and confidentiality.

Second, the DPA recalled that Article 12(1) of Law 3471/06 on electronic communication services obliges the controller to take appropriate technical and organisational measures in order to protect the security of its services and the public electronic communications network. The DPA held that the controller had failed to implement sufficient policies and security measures in the SIM card replacement process to prevent fraud. Even the additional measures implemented after the first incidents were not effective in preventing further exploitation of weaknesses in the controller's policy.

Third, the DPA noted that in the event of a data breach, the controller was obliged to inform the data subjects and the DPA about it without delay, in accordance with Article 12(5) of Law 3471/06. The DPA found a violation of this provision because in at least five incidents, the DPA only became aware of a data breach 2-3 months after it had occurred.
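The weakness the DPA describes, a SIM replacement approved on knowledge-based identity checks alone, and the two mitigations at issue in the holding, a stronger identity check at request time and timely detection of abuse afterwards rather than learning of it from the data subject months later, can be illustrated with a small model. This is an added, constructed example, not the controller's system or any text of the Authority: the request fields, the one-time code delivered to the current SIM, the e-ID assertion flag, the audit-event format, the sample numbers and the 48-hour and 30-day windows are all assumptions.

```python
"""Constructed illustration of a step-up gate for high-risk subscriber changes (SIM
replacement, call diversion, new number) and an audit-log detector for abuse patterns.
All field names, thresholds and sample events are assumptions, not the controller's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hmac

HIGH_RISK = {"sim_replace", "call_divert", "new_number"}


@dataclass
class ChangeRequest:
    msisdn: str
    kind: str
    kba_passed: bool                        # knowledge-based answers (name, address, ...) matched
    eid_assertion: bool = False             # assumed: fresh electronic identity check succeeded
    otp_supplied: Optional[str] = None      # assumed: code read back from the *current* SIM


def weak_decide(req: ChangeRequest) -> bool:
    """Approve on knowledge-based answers alone: the failure mode the decision describes,
    since those answers are exactly the data an impostor gathers beforehand."""
    return req.kba_passed


def hardened_decide(req: ChangeRequest, otp_issued: Optional[str]) -> bool:
    """High-risk changes need KBA plus proof of identity or possession:
    either a fresh e-ID assertion or the one-time code delivered to the current SIM."""
    if not req.kba_passed:
        return False
    if req.kind not in HIGH_RISK:
        return True                          # low-risk changes keep the lighter check
    if req.eid_assertion:
        return True
    if req.otp_supplied is not None and otp_issued is not None:
        return hmac.compare_digest(req.otp_supplied, otp_issued)   # constant-time compare
    return False


@dataclass
class AuditEvent:
    at: datetime
    msisdn: str
    kind: str
    channel: str
    approved: bool


def detect_suspicious(events, divert_window=timedelta(hours=48), repeat_window=timedelta(days=30)):
    """Flag patterns a provider should review itself rather than hear about from the subscriber:
    a SIM replacement followed shortly by call diversion, or repeated SIM replacements."""
    alerts = []
    by_msisdn = {}
    for ev in sorted(events, key=lambda ev: ev.at):
        by_msisdn.setdefault(ev.msisdn, []).append(ev)
    for msisdn, evs in by_msisdn.items():
        swaps = [ev for ev in evs if ev.kind == "sim_replace" and ev.approved]
        for s in swaps:
            for ev in evs:
                if ev.kind == "call_divert" and ev.approved and s.at < ev.at <= s.at + divert_window:
                    alerts.append((msisdn, "sim_replace followed by call_divert", s.at, ev.at))
        for a, b in zip(swaps, swaps[1:]):
            if b.at - a.at <= repeat_window:
                alerts.append((msisdn, "repeated sim_replace", a.at, b.at))
    return alerts


# Constructed sample audit trail (numbers and timestamps are made up).
SAMPLE_EVENTS = [
    AuditEvent(datetime(2021, 3, 1, 10, 0), "306900000001", "sim_replace", "shop", True),
    AuditEvent(datetime(2021, 3, 1, 14, 30), "306900000001", "call_divert", "call_center", True),
    AuditEvent(datetime(2021, 5, 1, 9, 0), "306900000002", "sim_replace", "shop", True),
    AuditEvent(datetime(2021, 5, 20, 11, 0), "306900000002", "sim_replace", "shop", True),
    AuditEvent(datetime(2021, 6, 1, 9, 0), "306900000003", "sim_replace", "shop", True),
    AuditEvent(datetime(2021, 6, 11, 9, 0), "306900000003", "call_divert", "self_service", True),
    AuditEvent(datetime(2021, 7, 1, 9, 0), "306900000004", "sim_replace", "shop", False),
]

if __name__ == "__main__":
    req = ChangeRequest("306900000001", "sim_replace", kba_passed=True)
    print("weak:", weak_decide(req), "hardened:", hardened_decide(req, otp_issued="482913"))
    for alert in detect_suspicious(SAMPLE_EVENTS):
        print(*alert)
```

The gate makes the point of the holding concrete: knowledge-based answers are not a possession or identity factor, so `weak_decide` approves exactly the requests the complaints concern, while `hardened_decide` requires something the impostor does not hold. The detector addresses the notification finding from the other side: with SIM changes and diversions written to an audit trail, the combinations seen in the incidents surface within hours, which is the precondition for notifying subjects and the Authority without delay.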

In conclusion, the DPA imposed a €150,000 fine on the controller for the violation of Article 12 of Law 3471/06.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority, following complaints and related notifications, became aware of incidents of unauthorized access by malicious third parties to data of mobile phone subscribers. The access took place following requests to change the SIM card of subscribers and was due to problems with the process of identifying subscribers when such requests were made, either as a result of insufficient security measures or following a faulty implementation of existing measures. The Authority assessed the number of incidents, as well as the actions of the controller in order to deal with them, and imposed a fine of 150,000 euros for the above violations of the provisions of Article 12 of Law 3471/2006.